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Authorisation _ 

The present invention relates to authorisation, in particular to authorisation using 
a digital certificate. 

^ 't is know to use digital certificates to authorise a node or a user, for example to 

authorise the node or user access to data or services. Such certificates normally have a 
digital signature which is encrypted using a public key cryptography system. The digital 
signature is normally a function of the characters forming the message content of the 
certificate, such that a recipient can perform a function on the signature in order to 
1 0 determine with some degree of certainty that a received certificate has not been altered. 

According to one aspect of the invention, there is provided a method of 
authorising data transfer to a mobile node, the method including the steps of: receiving a 
digital certificate from the mobile node, the digital certificate including a message body, a 
digital signature for verifying the content of the message body, and, geographical 
5 information derived from a physical location; performing a comparison between the 
geographical information of the certificate and a further item of geographical information; 
and, making an authorisation decision in dependence on the result of the comparison. 

Further aspects of the invention, including a method of generating a digital 
certificate, are provided as specified in the appended claims. 
0 The present invention is described in further detail below, by way of example, 

with reference to the following drawings in which: 

Figure 1 shows a network system according to the present invention; 
Figure 2 is a schematic representation of a digital certificate; 
Figure 3 is a schematic representation of message flows between nodes; 
5 Figure 4 shows the transfer of messages involved in the creation of a security 

association; and, 

Figure 5 is a more detailed exampled of a certificate. 

In Figure 1 , there is shown a network system 10 having a main network 12 and at 
least one mobile node 14. The main network, which is preferably static, has a plurality of 
nodes 16 connected by links 18. Each node has an address, the addresses of the main 
network being arranged in a hierarchical system, such that the address of a node will 
normally indicate the topological position of that node. In the present example, the 
addresses of the nodes are addressed according to the Internet Protocol, preferably 
version V6. 
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The mobile node 14 is configured to make a temporary connection with any one 
of a plurality of spaced apart attachment points 20 of the main network 12. Each 
attachment point will normally have a node, termed a foreign agent (FA) node 22 
associated therewith (only one is shown for clarity). The foreign agent will normally issue 
5 the mobile node with a temporary address, which address is topologically related to that of 
the issuing foreign agent, (for example, the addresses may share a common prefix 
portion) such that packets addressed to the temporary or "care-of" address of the mobile 
node will be routed by the network to the foreign agent, which can then forward the 
packets to the mobile nodes. 
10 The mobile node has an associated Home Agent (HA) node in the main network 

12. The association between the mobile node and its home agent is formed at least in 
part by a permanent address allocated by the home agent to the mobile node, which the 
mobile node retains as it moves from one attachment point to another. The permanent or 
"home" address of the mobile node will be topologically related to the address of the home 
15 agent (for example by sharing a common prefix portion with the home agent address) 
such that packets from a caller node 26 (CN) addressed to the home address of the 
mobile node can be intercepted by the home agent. To allow thahome agent to forward a 
packet from the caller node 26 towards the current attachment point of the mobile node, 
the home agent will store a mapping between the current care-of address of the mobile 
20 node and its home address, which mapping will be updated when the mobile node 
attaches to a new attachment point, that is, when the mobile node transmits a binding 
update to its home agent informing the home agent of its new care-of address. 

The mobile node may be a router or a communications device on a vehicle, or 
otherwise the mobile node may be a portable device, such as a laptop computer, or 
25 another type of movable device. Preferably, the mobile node will have temporary 
connection means 32 for making a temporary connection 34 with an attachment point, for 
example a radio receiver and/or transmitter for making a radio connection 34, or a 
releasable electrical or optical connecter arrangement. 

There are many circumstances in which authentication or other authorisation will 
30 be desirable before secure or reliable communication between two nodes is established. 
For example, the home agent for the mobile node may require proof of the identity of the 
mobile node before accepting a binding update, so as to reduce the risk of traffic intended 
for the mobile node being inadvertently forwarded by the home agent to a fraudulent 
node. The need for efficient security processes is particularly important in the case of 
. 35 traffic relating to a mobile node, since the topologically correct address of a mobile node is 
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temporary, that is, changeable as the mobile node moves. However, there are other 
situations where authorisation or authentication can be important: for example, the home 
agent may have a policy of only passing infomnation to specified foreign agents, or 
likewise, a foreign agent may have a policy of only allowing mobile nodes to attach to it 
5 whose identity or other characteristics fall within a specified or predetermined category. 

To reduce the risk of fraudulent authentication or authorisation, or other data 
transfer taking place, the rnain network 12 will normally include a certificate authority 
agent, here implemented as a certificate authority (CA) node 28. (It will be appreciated 
that the nodes CA, FA, MN, and HA will be implemented on hardware which will include at 
1 0 least one memory and at least one processor means, the hardware and software running 
thereon being located at a single node or othen^se being distributed over spaced apart 
hardware apparatus, for example over a plurality of nodes). 

The certificate authority will normally employ a Public Key (PKI) encryption 
system. In such a system, also known as asymmetric key cryptography, an entity (such 
15 as a person or node) has associated therewith a pair of keys: a public key which is 
publicly accessible, for example by being distributed or being placed in a public directory; 
and, a private key; only accessible to the entity with which the pair of keys is associated. 
The pair of keys is mathematically linked, for example according to a known protocol 
developed by Diffie and Hellman. The mathematical function relating the two keys to one 
20 another is such that it Is difficult, preferably unfeasible, to derive the private key from the 
related public key. This may be achieved for example by^a function which requires an 
impractically large number to be factored in order to obtain the private key. Thus, a first 
person wishing to send an encrypted message for transmission to a second person can 
look up the public key associated with the first person in a public (and trusted) directory, 
25 and encrypt the message with the second person's public key. The second person can 
use their private key to decrypt the message. In this way, public key cryptography can be 
considered to be based on a one-way function, that is, a function which is significantly 
easier to perform in the fonward direction than In the reverse direction. The public key 
provides an indication of an instance of the function, and the private key allows the 
30 function to be performed in the reverse direction. 

In order to generate a certificate, the certificate authority will form a digital 
signature in association with the information content of the certificate. The digital 
signature will be the result of a mathematical algorithm, function, or other computation 
having as input parameters (a) the message content of the certificate, (b) the private key 
35 of the certificate authority, in particular, the digital signature will preferably be the result of 
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the encryption procedure using the private key of the certificate authority. A person 
wishing to read the certificate can then "de-crypt" the digital signature using the public key 
of the certificate authority (or equivalently, perfornn a function to generate signature 
information related to the encrypted signature). A checking algorithm can then be 
5 performed using the digital signature and the message content as input parameters to 
determine whether the received message corresponds to the digital signature, in particular 
whether the received message is the same as the transmitted message used to generate 
the digital signature. This is possible because for a given private key, the digital signature 
is (almost) unique to the message: that is, the likelihood of two different (non-identical 
10 messages) returning the same (even unencrypted) signature is very low. Furthermore, 
because the digital signature is encrypted, it is difficult for an unauthorised person to 
change the signature so as to reflect any changes that unauthorised person may have 
made to the message. In this way, the digital signature is indicative of the message 
content such that by performing predetermined respective functions on the received 
15 message content and the digital signature, and by comparing the results of those 
functions, it is possible to determine if the message content as received has been altered. 

In more detail, to generate a certificate, the certificate authority will: perform a 
"hash" function on the certificate (message) content, or other function chosen such that 
there is a low likelihood of two different contents yielding the same result. The result of 
20 the hash function, known as the message digest, is then encrypted using the certificate 
authority's private key according to a PKl protocol. A recipient can then perform a 
recipient computation, related to that used to create the signature, the recipient 
computation function involving the message content, the received signature, and the 
sender's (here the certificate authority) signature. If the result is correct according to a 
25 predetermined mathematical relation, the signature can be deemed genuine, and the 
message content is unlikely to have been altered. 

In more detail, a recipient can: "de-crypt" the signature using the public key, in 
order to obtain the message digest (or related information); perform the same hash 
function on the received message as was performed on the sent message; and, compare 
30 one message digest with the other. If these are the same, the signature is deemed 
genuine. When an entity (the issuee) is issued a certificate by the certificate authority, the 
message content of the certificate will normally contain at least some of the following 
items of information: name of issuing certificate authority; the public key of the certificate 
authority; an expiration date of the public key; the name or an identifier of the issuee; and, 
35 the public key of the issuee. 
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In addition, the message content will include location object Identifier, or other 
geographical information, which geographical Information is derived from a physical 
geographical position or an indication thereof. Examples of geographical Information 
Include; a latitude and longitude value (with optionally an altitude value); a map reference; 
5 a known place name; a street or road name; and, a street junction. Since geographical 
Information is derived from a geographical location, it will be more reliable as an Indication 
of position than other information such as an IP address, from which geographical position 
can sometimes be inferred. 

A certificate 50 Is Illustrated In Figure 2. which shows: the message content 52; 
10 items of infontiation such as geographical information 54; an identifier 56; and. the digital 
signature 58. 

When the certificate authority issues a certificate to a node, the certificate 
authority will transmit the certificate to the requesting node over the network 12; that is, 
through one or more routing node 161 and links 18. The requesting node can then store 
15 the certificate in a memory, preferably in a local memory 30. such that the certificate can 
be transmitted to another node when needed, for example when information or services 
are required from that node. 

1 

Returning to the situation shown in Figure 1, the mobile node 14 will be Issued 
with a certificate by the certificate authority 28. The certificate for the mobile node will 
20 normally have geographical information indicative of an area associated with the home ' 
agent's physical location, but the geographical information in the mobile nodes certificate 
may be other static geographical information, for example information relating to the 
owner's place of residence. In more detail, the geographical information will normally be 
in the form of a value associated with a location object identifier. Ukewise, the home 
25 agent and foreign agent are also sent respective certificates by the certificate authority 28. 
The value for the location objection identifier for the home agent and foreign agent 
correspond to their respective physical locations as expressed In latitude and longitude. 
In this example, the value of the location object identifier for the mobile node corresponds 
to that of the home agent. 

30 The steps involved in the attachment of the mobile node to the main network are 

shown schematically in Figure 3, in which information flow is Indicated by arrows, 
increasing time being in the downward direction on the page. To begin the attachment 
process, the mobile node sends an initial registration packet to the foreign agent, which 
packet is "dropped" or read at the foreign agent. The initial packet triggers the start of an 

35 Internet Key Exchange (IKE) process for establishing a security association between the 
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mobile node and the foreign agent, in which process protocols are agreed. Once a secure 
association has been established, the mobile node may send encrypted traffic to the 
foreign agent. 

As part of the registration process between the mobile node and the foreign 
5 agent, the mobile node will send its certificate to the foreign agent. The foreign agent can 
then: de-crypt the digital signature using the public key of the certificate authority, which 
public key the foreign agent may obtain from the certificate authority itself; perform a 
function on the content, which function (normally a hash function) has previously agreed 
(for example during the IKE procedure on the message); compare the result of the 

10 function with the decrypted signature; and, if the comparison indicate a match, treat the 
certificate as genuine. Assuming the certificate is genuine (or to ascertain or further verify 
that the certificate is genuine), the foreign agent can then extract the location object 
identifier from the message content of the certificate. The foreign agent may be 
configured to make a decision as to whether to grant or refuse foreign agent functionality 

15 to a mobile node in dependence on the geographical information in the mobile nodes 
certificate. In particular, the foreign agent may be configured to compare the location 
object identifier of the mobile node to information indicative of the foreign agent's own 
physical location information, which may be stored locally, and only grant access if the two 
items of location information have a specified characteristic in common. For example, 

20 access may only be granted if the location information of the mobile node and foreign 
agent indicate respective positions within the same specified geographical area or within a 
specified distance of one another. In this way, the foreign agent can be configured to only 
grant access to a mobile node which originates from the same geographical district or 
country as the foreign agent. 

25 Assuming that the foreign agent can grant access, or provide other foreign agent 

functionality for the mobile node, the foreign agent will attempt to register with the home 
agent. To start this process, the foreign agent will transmit an initial registration packet, 
which packet is "dropped" at the home agent. This dropped packet initiates an IKE 
procedure as indicated in Figure 4. The home agent will receive a certificate from the 

30 foreign agent, and perform similar steps to those outlined above to determine whether the 
certificate is genuine. Again, the home agent may extract the location object identifier 
from the certificate of the foreign agent and may perform a comparison between the 
location object identifier and other stored geographical information. In particular, the 
home agent may compare the location object identifier against an expected location object 

35 identifier stored at a registry 36, which registry may store location object identifiers 




respectively mapped to the identity of mobile nodes. Thus, the location object identifier in 
the certificate may serve to provide an additional security test in order to authenticate the 
foreign agent. 

Once the mobile node is registered with the foreign agent, and the foreign agent 
5 is registered with the home agent, a secure association is formed on the one hand 
between the mobile node and the foreign agent, and on the other between the foreign 
agent and the home agent. Encrypted traffic can then be transmitted from the mobile 
node to the foreign agent, and then fonwarded by the foreign agent to the home agent. 

As the certificate is used for authentication in this secure association creation 
10 process, the location information contained In the certificate, and the associated IP 
address can be extracted and stored for future use. The home agent will normally have a 
security policy that grants or denies mobile IP semces in dependence upon the location of 
the foreign agent. When a request for a mobile IP registration arrives at the home agent, 
the home agent may use the IP address of the request message to obtain the location of 
15 the care-of address for the mobile node. However, the certificate from the foreign agent 
will preferably be used to obtain the physical location of the foreign agent (or a 
confirmation thereof), as this is more reliable. Once the location of the foreign agent has 
been obtained, it can be compared against a policy associated with that location. If the 
mobile node is allowed mobile IP surfaces from the location of the foreign agent (the 
20 location of the mobile node being inferred from that of the foreign agent), then a 
registration-successful message will be sent back to the foreign agent, else a registration- 
unsuccessful message will be sent back. 

It can be seen from the above that the location information In a certificate can be 
used by a node when deciding whether to provide information. In particular, the location 
25 information extracted from a certificate can be compared with stored location information, 
such that the decision as to whether surfaces are to be provided can be made at least in 
part in dependence upon the comparison between the extracted location Information and 
the stored location information. 

Further details on the implementation of one embodiment of the Invention are 
30 provided below: the operating used is FreeBSD [FreeBSD]. The Internet Key Exchange 
(IKE) implementation comes from KAME [kame], the secure socket layer implementation 
comes from the openssi organisation [openssi] and the mobile IP Implementation from 
Portland State University [psu]. The openssi code is used by the KAME IKE 
implementation. It is also assumed that security policy exists that state that secure 
35 communication must exist between the MN and the FA and also between the FA and the 



8 



HA. One stage is to introduce tlie location attribute into tlie certificate. This is done by 
introducing a new object identifier of type 2.5.5.4 [oid] and associating a value with this 
corresponding to the location expressed as x, y pair. It is also possible to include an 
altitude attribute as x, y, z where z represents the altitude although this was not done in 
5 this implementation. An example of such a certificate is shown in Figure 5 with the 
location object identifier and associated value shown. Another stage is to configure the 
IKE daemon, racoon [kane], to use certificates rather than pre-shared secrets. As shown 
schematically in Figure 3, the sending of the registration packet from the MN to FA 
initiates the generation of a security association between them. Lets focus on the creation 

10 of security associations between the FA and the HA since the creation of security 
associations between the FA and the MN is as described in standards [RFC2002]. Figure 
4 shows the sequence of messages that occur in phase 1 of the creation of secure 
associations using IKE. Note that in Figure 4, the certificate payload has to be present 
since it may not be possible for the FA and the HA to get the certificate from other 

15 sources, say secure DNS. Where the diagram ends, phase 2 of the IKE processing can 
take place to create the IPsec secure association proper. It is intended to send the valid 
certificate to a local listener that will store the location and the IP address in a local file. 
The message from the IKE daemon is parsed. With regard to the processing of the 
certificate payload: the function saveFaLocation (currentLocation, ip_address) saves the 

20 location seen in the certificate and the associated ip address as a tuple in an ascii file. 
This file can then be read by other applications that require location dependent 
information. The home agent may have a policy for allowing mobility, which could be 
refined by defining bounded polygons for location, as in [RFC2009]. 
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CLAIMS 

1 . A method of authorising data transfer to a mobile node, the method including the steps 
of: receiving a digital certificate from the mobile node, the digital certificate Including a 

5 message body, a digital signature for verifying the content of the message body, and, 
geographical information derived from a physical location; performing a comparison 
between the geographical information of the certificate and a further item of geographical 
information; and, making an authorisation decision In dependence on the result of the 
comparison. 

10 

2. A method as claimed in claim 1 , wherein the digital certificate Is suitable for use in a 
public key encryption system 

3. A method as claimed in claim 2, wherein the certificate Is generated at a certificating 
15 node having a public key and a private key associated therewith, and wherein the 

signature is a function, at least in part, of the private key of the certificate node 

4. A method as claimed In claim 2 or claim 3, including the step of verifying the 
authenticity of the digital certificate by performing a computation on at least part of 

20 certificate, the computation Involving the public key associated with the certificate node. 

5. A method as claimed any preceding claim, wherein the mobile node Is configured to 
form a temporary attachment to an attachment point of a main network, and wherein the 
digital certificate Is received at a network node in the main network. 

15 

6. A method as claimed in claim 5, wherein the attachment point has a fonwarding node 
associated therewith for fonwarding messages to and/or from the mobile node, and 
wherein the forwarding node has a digital certificate associated therewith, which certificate 
include geographical information derived from the physical location of the forwarding 

0 node, the method including the steps of: at the network node, receiving the digital 
certificate from the fonwarding node; and, making an authorisation decision In dependence 
on the geographical Information of the certificate from the forwarding node. 
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7. A method as ciaimed in claim 6, wherein the authorisation decision includes the step of 
inferring the location of the mobile node from the geographical information in the 
certificate of the forwarding node. 

5 8. A method as claimed in any of claims 5 to 7, wherein the mobile node has a temporary 
address and a permanent address associated therewith, 

9. A method as claimed in claim 8, wherein the temporary address of the mobile node Is 
indicative of the topological position of the current point of attachment of the mobile node, 

10 

10. A method as claimed in claim 8 or claim 9, including the steps of: (i) intercepting 
packets addressed to the permanent address of the mobile node; and, (il) forwarding the 
intercepted packets towards the temporary address of mobile node, at least one of steps 
(i) and (ii) being authorised in dependence on the result of the comparison. 

^ 15 

1 1. A method as claimed in any preceding claim, including an authentication step, 

12. A network node for authorising the transfer of data to a mobile node, wherein the 
network node is configured, in response to receiving a digital certificate from the mobile 

20 node, to read at least part of the digital certificate, the digital certificate including 
geographical information derived from a physical location, and wherein the network node 
is further configured to: perform a comparison between the geographical information of 
the certificate and a further item of geographical information; and, in dependence on the 
result of the comparison, make an authorisation decision, 

25 

13. A method of generating a digital certificate for use in an authorisation decision, the 
digital certificate being suitable for use in a public key cryptography protocol in which a 
message can be encrypted with a public key and decrypted with a private key, the digital 
certificate having a message body and a digital signature for verifying the message body, 

30 the method including the steps of: including geographical information in the message 
body, the geographical information being derived from a physical location; and, performing 
a computation involving the message body and a private key in order to form the digital 
signature. 
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14. A method of authorising a user, the method including the steps of: receiving a digital 
certificate from the user, the digital certificate including a message body, a digital 
signature for verifying the content of the message body, and, geographical information 
derived from a physical location; performing a comparison between the geographical 
5 information of the certificate and a further item of geographical information; and, making 
an authorisation decision in dependence on the result of the comparison. 
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ABSTRACT 
Authorisation 

The present invention relates to authentication, in particular to authentication using a 
5 digital certificate. The digital certificate includes geographical information derived from a 
physical location. A comparison between the geographical information of the certificate 
and a further item of geographical information can be performed. An authorisation 
decision can then be made in dependence on the result of the comparison. 
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Certificate: 
Data: 

Vers ion J 3 (0x2) 
Serial Number: 3 (0x3) 

Signature Algorithm: mdSWithRSAEncryption 
Issuer: C=UK, ST»Suffolk, Ij«Ipgwich, 0«BT, OU==BTexat, 
CT^Administrat or/Email sparminder.mdharobt . com/ 2 .5. 5. 4=123456, 12345S 
Validity 

Not Before! Jul 11 13:14:30 2002 GMT 
Not After : Jul 11 13:14:30 2003 GMT 
Subject; C?=UK, ST«Suffol3c* 0=BT, OU=BTexat, 
CN=Singh/ Email ssparminder . mudharsbt . com/ 2.5.5.4=123,345 
Subject Public Key Info: 

Public Key Algorithm: rsaEncryption 
RSA Public Key: {1024 bit) 
Modulus (1024 bit) : 

"* ~" 00:b5 :09:9d:5a:b5:4e:30:85:c4:68:c2 :C3:53 :13~: 1 . 

e? : a4 : f e ! f 0 : 2c ; 22 : f 2 : de : 55 : e9 : 50 : 8e : 4a: 5f : 93 : ! 
39:35 :cf ;10:f4:b9:ld:b5:b8:56:37:94 :b5:a6:67: j 
70:eO:ee;e8:b5:Ob:15:eO:01:C4:SS:69:f4:05:72: \ 
3a:la:ia:22:38:37:dd:ca:9e:9a:74 :22:75:73 :e6: \^ 
le : 6b : 9d : lb : 4 8 : f 6 : d4 : 10 : a7 : cb : Cl ; C2 : C7 : bS ; c9 : 
61:91:dO:Qf :4a:b8:71;3c:CC:90:da;e9:74:fC:ll: 
4C:5b:43 :51:f 6:bc:06j57:5a:06:ed:9e:ed:8d:54: 
65 :62 :ea:a9 :7C: fa:88:01:Cd 
Exponent: 65 S3 7 (0x10001) 
X509v3 extensions: 

X509v3 Basic Constraints: 

CA : FALSE 
X509V3 Key Usage: ^ 

Digital Signature, Non Repudiation, Key Enciplxerment 
Netscape Comment: 

OpenSSL Generated Certificate 
X509V3 Subject Key Identifier: 

58 : 07 : CO : 76 : SB : DF : BB : 2B : 23 : 92 : 3D : 03 ; BF ; EC : E8 : F5 : OC : 32 : 39 : 5E 
X5 09v3 Authority Key Identifier: 

keyid : B3 : 43 : C9 : 28 : B7 : 44 ; 9E ; 5F : 83 : FB : Dl : 57 : 8 5 : EO : EF : EB : 9C : FP : DC: 65 
DirMame : /C«UK/ST=Suf f olk/L=Ipswich/O«BT/O0=:BTexat/ 

CN=Administrator/Email=parminder . mudharSbt . com/ 

2.5.5 .4«1234 56, 123456 

serial : 00 

XS09v3 Subject Alternative Name: 
IP Address:192.168,7.3, 
DNS : parminder_home . futures .bt.co.u3c, email : parminder , mudhar®bt . com 
Signature Algorithm: mdSWithRSAEncryption 

06:7f :b3:48 :bS :93 :eO:ll: 69 :d7: cc: 61:2e:64 :e9 :bd:01: 8C: 
68:dc:a3:4b:be:e0:d2!21:17:98:86:21:9b:cb:73;3f :Cf :2c; 
7e:la:a4:ad:aS : el :be:fd: Ob: 82: 7e: 85: f4 : 96: 8as65 :3a :22: 
4a:fd:Cd:64:91:3e:44:65:6c:24:80:01:77:f5:f4:4d:83:a2: 
d9:14;62:8e:71:99:74:28:3d:dl:45 :51:90:9S:19:a3:9a:e7: 
llsaa : 74 :50:8f:f0:b5:8d: 97:71: 6b:b7:7a:34:8e:00:S9:f9: 
68;e8:f8:af :76:2a:43:4b:c6:65:53 :a6;cl:71:d3:18:8aj59: 
d5:cb!58:34:a£:40:8e:83;e3 :3S :b6 :70 J 33 : 54 : e4 :d4:98:fe: 
dS :60 :61:a8 r64:9d:9d:8a:c9:18:a4 scl leS ; IS : 69 :4e: S7 : 19 s 
18 J 71 : d6 : 7e :37 ; 5a:d0 : 29 : ef : €6 : 9e :19 :CC : 47 : 82 : cS : 20 : ef : 
75;6b: Of :29:54 I 68 :e2:2d:lS :3c:cc:ae:43 :af : 98 :df : 18 : SS : 
a8jfb:Sf :df :39:45:6c: 00 :f 3:26:47 : 88:97 :b6: 63:74 :de:ac: 
91;e4 :a9:cb :e8 :30:8b: 64! 30: 09:42 :cl;44 !db:f9:49:38:92: 
f3 j7a:Cl:2b:le:fa:4d:7f :38:e3 ;e0 :76 :32 : 84 :c8 :5a :CC: a5 ; 
73 ; 11 : f 2 : a8 




